
How to configure Matomo for security

The Matomo (Piwik) team does its best to ensure that the Matomo source code is secure. We do this by:

proactively rewarding security researchers who find bugs

conducting and supporting external professional security reviews

conducting code reviews on commits

However, these security steps cover only the Matomo (Piwik) software itself. Once you download and install Matomo, more factors come into play.

Tips that will help you keep your Matomo secure

There are a few things that you can easily change in your routine to make your data more secure. This page explains specifically how to harden your Matomo (Piwik) installation, so that it is difficult for anyone to read, modify or insert unwanted data on your server. Please check that the person who installs Matomo and administers the web server has read the following guide and spent some time implementing some or all of these changes.

Here are a few tips to make your Matomo (Piwik) server more secure and analytics data safer:

Install Matomo (Piwik) in a separate MySQL Database
By doing this you are making sure that if a hacker gains access to your CMS database, they won’t be able to access Matomo, and vice versa.

Use a New MySQL user and password for your Matomo (Piwik) DB
If you reuse the same user and password everywhere, a single leaked credential gives an attacker access to all of your data.
Make sure the usernames and passwords are unique for each database, so that a SQL injection in one application can only reach that application's data.

Always use Matomo (Piwik) over https://
Sensitive information in Matomo includes the login, password, and token_auth (used for API authentication). This information is regularly included in the responses from the Matomo server, and could be viewed by anyone observing the traffic. Public or unencrypted Wi-Fi networks are easy to spy on. The solution is relatively simple: if you really care about your security and want to make sure that nobody could access your password or API tokens, make sure you always connect to Matomo over https://

Use the latest PHP, MySQL, web server (Apache/Nginx), Operating System (Linux)
Performance and security updates are released frequently for these popular tools required by Matomo (Piwik).
We highly recommend that you only use free software, for example Linux+Apache/Nginx, and that you use the latest versions.
In case you are using Nginx, take a look at the Matomo Nginx configuration to make sure access to temporary files is blocked.
Often, you can also configure each piece of software to increase security e.g. enabling the firewall in your OS, using .htaccess in Apache, etc.

Purchase and Download the Activity Log plugin: Keep an eye on everything that happens on your Matomo (Piwik) platform with the Activity Log plugin, also known as an audit log or audit trail. It allows Matomo Super Users to quickly review the actions performed by members of your organization or clients, and also lets every user review details of their own actions. This premium plugin was created by the makers of Matomo and is recommended for all businesses, especially when more than one person is using Matomo.

List of best practices for the professional Matomo administrator

Here are our best practices for the professional Matomo (Piwik) administrator:

Always use strong, complicated, new passwords
Using secure passwords for all of your Matomo (Piwik) users, all users with Super User access, and your Matomo MySQL database is a fundamental way to boost your security.
Use the Strong Password Generator if you can’t come up with one on your own.

Use SSH (or sFTP) rather than FTP
These days, it is easy to listen on Wi-Fi networks and sniff traffic. Make sure that all of your connections to the Matomo (Piwik) server are encrypted so that nobody can see your logins or passwords.
If you must use FTP, do not store the password in your FTP client (stored passwords are easy prey for malware already running on many Windows computers).

Keep your own PC up-to-date
Always keep your own computer up to date, including the Flash plugin, your browser(s), and operating system. On a Windows computer, always use a virus checker to minimize the risk of malware. Do not use Acrobat Reader: it has had too many severe security holes in the past. Instead, use Sumatra PDF.

Change Matomo (Piwik) settings to respect your users' privacy
Check out our guide to Enable Privacy features in Matomo and learn more about data privacy for your website visitors’ data.

Other tips

Use .htaccess to restrict access to a few files only, and restrict by IP address
If you use an Apache web server, it’s easy to use .htaccess files to restrict access to Matomo (Piwik) to your IP address, or to apply many other restrictions. Check out the examples in the htaccess forum post.
When you restrict access to files, please note that you need to allow external access to the following files: piwik.php, piwik.js, and also to the URL index.php?module=CoreAdminHome&action=optOut (for the opt-out iframe).
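The restriction described above, written out as an added example (not the forum post's configuration and not Matomo's own): the whole Matomo directory is limited to one admin network, while the tracker endpoint, the tracking script and the opt-out page stay public. It assumes Apache 2.4 with mod_authz_core and AllowOverride All on the Matomo directory; 203.0.113.0/24 is a documentation range used as a placeholder, and the matomo.php/matomo.js names are added as the current aliases of the piwik.* files the tip lists.

```shell
#!/bin/sh
# Added example, not Matomo's own configuration. Writes a .htaccess that
# limits the Matomo UI and API to one network while keeping the tracker
# endpoints and the opt-out iframe reachable by visitors.
# Assumes Apache 2.4 (mod_authz_core) and AllowOverride All.

write_matomo_htaccess() {
  allowed="$1"   # IP or CIDR allowed to reach the UI/API (placeholder below)
  target="$2"    # path of the .htaccess to write
  cat > "$target" <<EOF
# Default: only the admin network may reach Matomo.
Require ip $allowed

# Tracker endpoint and tracking script must stay reachable by every visitor.
# piwik.* are the names in the tip; matomo.* are their current aliases.
<FilesMatch "^(piwik|matomo)\.(php|js)\$">
    Require all granted
</FilesMatch>

# Opt-out iframe: index.php?module=CoreAdminHome&action=optOut
# Matched on the query string; a later section's Require replaces the
# directory-level one (AuthMerging Off, the Apache default).
<If "%{QUERY_STRING} =~ /module=CoreAdminHome&action=optOut/">
    Require all granted
</If>
EOF
}

# Example run: 203.0.113.0/24 and the install path are placeholders.
write_matomo_htaccess 203.0.113.0/24 ./htaccess.example
cat ./htaccess.example
```

After deploying, verify from an address outside the allowed range that / returns 403 while /piwik.js and the opt-out URL return 200; if the <If> block is ignored, the directory's AllowOverride is too narrow.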

Enable the Matomo (Piwik) Security Plugin and fix all security issues until they show green
In Matomo, click on the admin link Marketplace and then install the SecurityInfo plugin, which automatically tests your Matomo server's security and reports a list of security recommendations.
For example, it tests that the PHP and Matomo versions are the latest and that display_errors and magic_quotes_gpc are disabled, among many other checks.

Example of the SecurityInfo result page

We highly recommend that all Matomo (Piwik) administrators enable the SecurityInfo plugin, and then view the Administration > Security menu. You can update the server and PHP configurations to follow the recommendations and try to have all items in green.

In particular, check that you have disabled the PHP setting ‘display_errors’ and instead log all errors to an error log file.
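A small audit of that setting, added here as an example and not part of the Matomo page or of the SecurityInfo plugin: it reads a php.ini (or a conf.d/pool file), takes the last uncommented assignment of each key as PHP does, and fails unless display_errors is off, log_errors is on and error_log points somewhere. The two sample files are constructed inline; the log path in them is a placeholder.

```shell
#!/bin/sh
# Added example; not part of the Matomo page and not the SecurityInfo plugin.
# Audits a php.ini (or conf.d/pool file) for the error-handling settings the
# tip above asks for: display_errors off, errors written to a log file.
# The sample files and the log path are constructed placeholders.

# Effective value of a key: skip commented lines (";key = ..."), drop a
# trailing ";" comment and surrounding quotes, and keep the last assignment,
# which is the one PHP honours when a key is repeated.
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed -e 's/[[:space:]]*;.*$//' -e 's/^"\(.*\)"$/\1/' \
    | tail -n 1
}

# Returns 0 when the file is hardened, 1 otherwise; prints one line per finding.
check_php_ini() {
  f="$1"
  rc=0
  case "$(ini_value "$f" display_errors | tr '[:upper:]' '[:lower:]')" in
    off|0|false|no) ;;
    *) echo "$f: display_errors must be Off (errors leak paths and queries to visitors)"; rc=1 ;;
  esac
  case "$(ini_value "$f" log_errors | tr '[:upper:]' '[:lower:]')" in
    on|1|true|yes) ;;
    *) echo "$f: log_errors must be On"; rc=1 ;;
  esac
  if [ -z "$(ini_value "$f" error_log)" ]; then
    echo "$f: error_log is not set; point it at a file outside the web root"; rc=1
  fi
  return $rc
}

# Constructed sample files so the script runs stand-alone.
weak_ini=$(mktemp)
hardened_ini=$(mktemp)
cat > "$weak_ini" <<'EOF'
; development defaults, unsuitable for a public Matomo
display_errors = On
log_errors = Off
EOF
cat > "$hardened_ini" <<'EOF'
display_errors = Off
log_errors = On
error_log = "/var/log/php/matomo-errors.log" ; rotate with logrotate
EOF

for f in "$weak_ini" "$hardened_ini"; do
  if check_php_ini "$f"; then echo "$f: ok"; fi
done
```

Run it against every file PHP actually loads (php --ini lists them); a hardened php.ini is undone by a later conf.d file that turns display_errors back on.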

A final (optional) security tip: use Firefox for all your web browsing.
The best free software browser!
If you have any feedback or additions to this list, please let us know at security at piwik.org.
